NixOS/config/base.nix

{
  lib,
  pkgs,
  inputs,
  outputs,
  config,
  ...
}:
{
  imports = [
    inputs.home-manager.nixosModules.home-manager
    ./jawz.nix
    ../modules/modules.nix
  ];
  system.stateVersion = "23.05";
  sops = {
    defaultSopsFormat = "yaml";
    defaultSopsFile = ../secrets/secrets.yaml;
    age = {
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };
  };
  home-manager = {
    backupFileExtension = "hbckup";
    useUserPackages = true;
    useGlobalPkgs = true;
    extraSpecialArgs = {
      inherit inputs outputs;
    };
    users.jawz = import ./home-manager.nix;
  };
  time = {
    inherit (config.my) timeZone;
    hardwareClockInLocalTime = true;
  };
  i18n = {
    defaultLocale = "en_CA.UTF-8";
    extraLocaleSettings = {
      LC_MONETARY = "es_MX.UTF-8";
    };
  };
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };
  security = {
    polkit.enable = true;
    sudo-rs = {
      enable = true;
      wheelNeedsPassword = false;
    };
    pam.loginLimits = [
      {
        domain = "*";
        type = "soft";
        item = "nofile";
        value = "8192";
      }
    ];
  };
  users = {
    mutableUsers = false;
    groups = {
      users.gid = 100;
      piracy.gid = 985;
      core.gid = 1251;
      glue.gid = 6969;
    };
  };
  nixpkgs.config = {
    allowUnfree = true;
    cudaSupport = true;
    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
    permittedInsecurePackages = [
      "aspnetcore-runtime-wrapped-6.0.36"
      "aspnetcore-runtime-6.0.36"
      "dotnet-runtime-6.0.36"
      "dotnet-sdk-wrapped-6.0.428"
      "dotnet-sdk-6.0.428"
      "mbedtls-2.28.10"
    ];
  };
  nix = {
    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    distributedBuilds = true;
    optimise.automatic = true;
    settings = {
      use-xdg-base-directories = true;
      auto-optimise-store = true;
      trusted-users = [
        "jawz"
        "root"
        "nixremote"
      ];
      experimental-features = [
        "nix-command"
        "flakes"
        "pipe-operators"
      ];
      substituters = [
        "${config.my.servers.atticd.url}/nixos"
        "${config.my.servers.atticd.url}/webref"
        "https://nix-gaming.cachix.org"
        "https://nixpkgs-python.cachix.org"
        "https://devenv.cachix.org"
        "https://cuda-maintainers.cachix.org"
        "https://ai.cachix.org"
        "https://cache.lix.systems"
        "https://cosmic.cachix.org"
      ];
      trusted-public-keys = [
        "nixos:GAnxnubP07Qu+6v8MErkuAa4uGCR4Npmu4acmQrUXpI="
        "webref:qobPVDWPzbSJ0JIUoLBnWILcc+zbPa16CVAiN8MN6tg="
        "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
        "nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU="
        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
        "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
        "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc="
        "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
        "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
      ];
    };
  };
  documentation.enable = false;
  environment = {
    systemPackages = builtins.attrValues {
      inherit (pkgs)
        wget
        sops
        ;
    };
    variables = inputs.self.lib.xdgEnvironment;
  };
  programs = {
    nh = {
      enable = true;
      flake = "/home/jawz/Development/NixOS";
      clean = {
        enable = true;
        extraArgs = "--keep-since 3d";
      };
    };
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };
  services = {
    udev.packages = [ pkgs.yubikey-personalization ];
    smartd.enable = true;
    fstrim.enable = true;
    avahi = {
      enable = true;
      nssmdns4 = true;
    };
    clamav = {
      daemon.enable = true;
      updater.enable = true;
    };
    openssh = {
      enable = true;
      openFirewall = true;
      startWhenNeeded = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "prohibit-password";
        KbdInteractiveAuthentication = false;
      };
    };
  };
  fonts = {
    fontconfig.enable = true;
    packages =
      let
        customFonts = pkgs.stdenvNoCC.mkDerivation {
          name = "custom-fonts";
          src = inputs.fonts;
          installPhase = ''
            mkdir -p $out/share/fonts
            find $src -type f \( \
              -name "*.ttf" -o \
              -name "*.otf" -o \
              -name "*.woff" -o \
              -name "*.woff2" \
            \) -exec cp {} $out/share/fonts/ \;
          '';
        };
      in
      builtins.attrValues {
        inherit customFonts;
        inherit (pkgs)
          symbola
          comic-neue
          cascadia-code
          corefonts
          ;
        inherit (pkgs.nerd-fonts)
          caskaydia-cove
          open-dyslexic
          comic-shanns-mono
          iosevka
          agave
          ;
      };
  };
  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}